thr3ads.net - samba - [Samba] Strange DNS issue... [Jun 2021]

If this information is useful, please help other people find it:
Share via:

Rowland penny

2021-Jun-09 14:58 UTC

[Samba] Strange DNS issue...

On 09/06/2021 15:18, Marco Gaiarin via samba wrote:> Samba 4.9.18+dfsg-0.1stretch1, Louis package, i know i need to upgrade.
> A domain, 6 DC.
>
> I've still a separate DNS/DHCP setup, so client get DHCP and DNS
> addesses from another servers, in a different domain.
> Clearly, they have also a (forward) domain DNS name.
>
> Suddenly, by some days, i've some strange DNS issue. An example:
>
> Machine 'wilkie' boot and get addresses from primary DNS/DHCP
setup:
>
>   Jun  9 08:31:10 vdmsv1 dhcpd[23742]: DHCPOFFER on 10.5.2.220 to
34:64:a9:1c:1e:4a (WILKIE) via eth0
>   Jun  9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito:
updating zone 'dyn.sv.lnf.it/IN': adding an RR at
'WILKIE.dyn.sv.lnf.it' A 10.5.2.220
>   Jun  9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito:
updating zone 'dyn.sv.lnf.it/IN': adding an RR at
'WILKIE.dyn.sv.lnf.it' TXT
"318a9edb2b4f1eac9e8b7e1d6e41f75b84"
>   Jun  9 08:31:10 vdmsv1 dhcpd[23742]: DHCPREQUEST for 10.5.2.220
(10.5.1.3) from 34:64:a9:1c:1e:4a (WILKIE) via eth0
>   Jun  9 08:31:10 vdmsv1 dhcpd[23742]: DHCPACK on 10.5.2.220 to
34:64:a9:1c:1e:4a (WILKIE) via eth0
>   Jun  9 08:31:10 vdmsv1 dhcpd[23742]: Added new forward map from
WILKIE.dyn.sv.lnf.it to 10.5.2.220
>   Jun  9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito:
updating zone '2.5.10.in-addr.arpa/IN': adding an RR at
'220.2.5.10.in-addr.arpa' PTR WILKIE.dyn.sv.lnf.it.
>   Jun  9 08:31:11 vdmsv1 dhcpd[23742]: Added reverse map from
220.2.5.10.in-addr.arpa. to WILKIE.dyn.sv.lnf.it
>   Jun  9 08:36:11 vdmsv1 dhcpd[23742]: DHCPREQUEST for 10.5.2.220 from
34:64:a9:1c:1e:4a (WILKIE) via eth0
>   Jun  9 08:36:11 vdmsv1 dhcpd[23742]: DHCPACK on 10.5.2.220 to
34:64:a9:1c:1e:4a (WILKIE) via eth0
>   [...]
>
> At the same time, client register itself in domain DNS, on site
'SV',
> indeed with correct IP:
>
>   Jun  9 08:31:13 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A
key=1688-ms-7.1-4114.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:13 vdcsv1 named[664]: client 10.5.2.220#52285/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting an
RR at WILKIE.ad.fvg.lnf.it A
>   Jun  9 08:31:13 vdcsv1 named[664]: samba_dlz: subtracted rdataset
WILKIE.ad.fvg.lnf.it
'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.103'
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'WILKIE.ad.fvg.lnf.it' A
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an
RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset
WILKIE.ad.fvg.lnf.it
'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'WILKIE.ad.fvg.lnf.it' A
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: subtracted rdataset
WILKIE.ad.fvg.lnf.it
'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an
RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset
WILKIE.ad.fvg.lnf.it
'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of
signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A
key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'WILKIE.ad.fvg.lnf.it' A
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: subtracted rdataset
WILKIE.ad.fvg.lnf.it
'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
>   Jun  9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key
WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an
RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
>   Jun  9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset
WILKIE.ad.fvg.lnf.it
'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
>
>
> If now i query DNS in their site, i get correct result:
>
>   gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcsv1.ad.fvg.lnf.it |
grep ^wilkie
>   wilkie.ad.fvg.lnf.it.	1200	IN	A	10.5.2.220
>   gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcsv2.ad.fvg.lnf.it |
grep ^wilkie
>   wilkie.ad.fvg.lnf.it.	1200	IN	A	10.5.2.220
>
> but if i query DNS for other site DCs, i get incorrect result:
>
>   gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcpp1.ad.fvg.lnf.it |
grep ^wilkie
>   wilkie.ad.fvg.lnf.it.	1200	IN	A	10.5.2.57
>   gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcpp2.ad.fvg.lnf.it |
grep ^wilkie
>   wilkie.ad.fvg.lnf.it.	1200	IN	A	10.5.2.171
>   gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdc3t1.ad.fvg.lnf.it |
grep ^wilkie
>   wilkie.ad.fvg.lnf.it.	1200	IN	A	10.5.2.57
>   gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdctms1.ad.fvg.lnf.it |
grep ^wilkie
>   wilkie.ad.fvg.lnf.it.	1200	IN	A	10.5.2.57
>
>
> Note that basic things like 'samba-tool drs showrepl' and
> 'samba-tool ldapcmp ldap://vdcsv1 ldap://vdcpp2 -U Administrator'
show
> no replication differences or errors.
>
>
> What happens?! Thanks.
>
Why do you think I went to all the trouble to write this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

You need to use the dns from your DC's , though you can get your main 
dns servers to forward requests for the AD domain to the AD DC's.

Putting it simply, your AD dns is broken.

Rowland

Marco Gaiarin

2021-Jun-09 15:36 UTC

head link

[Samba] Strange DNS issue...

Mandi! Rowland penny via samba
  In chel di` si favelave...
> Why do you think I went to all the trouble to write this:
>
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> You need to use the dns from your DC's , though you can get your main
dns
> servers to forward requests for the AD domain to the AD DC's.
> Putting it simply, your AD dns is broken.
It worked until last week. If i remember well, dhcp/dns registration it
is needed for reverse zone, but reverse zone is not required (and i can
confirm that, because i'm running the domain by 2 year without reverse
zones...).


Anyway, something seems to have broken my DNS setup, something that:

	samba-tool ldapcmp ldap://vdcsv1 ldap://vdcpp2 -U Administrator

does not catch. How can i debug this?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

samba - Jun 2021 - Strange DNS issue...

[Samba] Strange DNS issue...

[Samba] Strange DNS issue...